Microsoft Escapes Kaspersky's Top 10 Vulnerabilities List

An anonymous reader writes "Security firm Kaspersky has released its latest IT Threat Evolution report. There were some interesting findings in the report, as always, but the most interesting thing that stuck out was all the way at the bottom: 'Microsoft products no longer feature among the Top 10 products with vulnerabilities. This is because the automatic updates mechanism has now been well developed in recent versions of Windows OS.'"

Windows is no longer relevant

[SquarePixel]

With the rise of OS X Windows is no longer relevant.

Re:Windows is no longer relevant

[ArcadeMan]

I would agree with you except for the fact that I have no idea what this "Windows" thing is supposed to be.

Re:Windows is no longer relevant

With the rise of OS X Windows is no longer relevant.

Parent is correct - although a little hyperbolic. Windows is no longer the 800 lb gorilla - Apple iOS is.

The market trend is towards more mobile type of computing and less desktop related type of things. Yes, yes, yes, I know that you need a desktop for "real" work, but many many others don't. Most of what I need to do can be done on a tablet or smartphone - where Windows has a very small market share.

Also, generally desktops are being kept longer and longer because there's really no need to keep doing so. Microsft sees the writing on the wall and they are scrambling to get move into other profitable (for them) lines of business before their gravy trains (Windows and Office) slows down too much.

Re:Windows is no longer relevant

I'm not developing on a fucking smart phone, so suck an egg.

Re:Windows is no longer relevant

[jones_supa]

Windows 7 is the best desktop OS. Secure enough, runs fast, smooth, stable, and all software and hardware works. OSX is pretty good too, but you have to buy expensive hardware to get it, and the software selection (especially regarding games) is more limited.

Re:Windows is no longer relevant

[cvtan]

You are not supposed to do developing at all. Use your smartphone to watch TV and movies as God intended.

Re:Windows is no longer relevant

Nice one shillboy.

The real story here is that a buggy-whip maker is saying good things about the buggy-OS maker it's livelihood depends on. News at 11.

Re:Windows is no longer relevant

[Sir_Sri]

This is one of those things that will be hard to judge.

First off, there are more android installs than iOS, and a lot of them are older versions which aren't getting updates etc. I see what google et.al. are doing but that market fragmentation will eventually be a security nightmare.

Secondly, MS moves something like 250 million copies of windows a year, and yes, turnover is going down, but that means there are still a billion windows PC's in the wild. The smartphone market has much higher turnover, in part because of carrier subsidies and the noticeable performance improvements still happening, and in part because cell phones are just much more likely to physically fail than a desktop, so I would be surprised if there are 300 million iOS devices in the wild at all. Officially they've sold 400 million iOS devices (http://news.cnet.com/8301-13579_3-57511323-37/apple-by-the-numbers-84m-ipads-400m-ios-devices-350m-ipods-sold/) through june, but a LOT of those are replacements for older iOS devices at this point (it would be a bit like MS talking about how many copies of windows it has sold since 2007 versus how many are actually in use).

Lastly, a lot of mobile devices may have vulnerabilities than can be exploited but that don't put users at risk because users don't behave in a way that exposes them to much risk. If you aren't regularly grabbing new apps, or trying to click links in e-mails or the like, well, you're not a power user but you're not at a great deal of risk either. The only person on an island doesn't really gain much by locking their door sort of thing. And we all know hackers are after things worth money. Desktops are worth money, banking information is worth money, (and banking is becoming more popular on smartphones to be sure), pictures of naked women are worth money (and those are certainly on phones....), but it's hard to know if hackers, especially serious ones, are going to refocus on desktops, because now if you have a desktop you're probably a serious productivity person, which means you have something worth stealing.

Re:Windows is no longer relevant

[ILongForDarkness]

Well to be fair for the the majority of /. readers we aren't in the cheap desktop market. For one reason or another we'll find a way to drop 2k+ on our laptops and desktops. We're devs, or gamers, or video processing nerds, or guys that measure their worth by their massive stash of pirated material and seed ratio etc. Either way we seem to all want some combination of SSD, big disk capacity, massive monitor, top of the line CPU, etc. Apple gear might not be great value but they don't target the low end of the market and we generally aren't there anyways.

Re:Windows is no longer relevant

[Luckyo]

Not really, no. My current gaming rig cost me about 800€, my laptop was 350€ and my smartphone was 100€ (from store, not operator, no subsidy).

Quite a few of us like bang for a buck, rather then bang at any cost.

Re:Windows is no longer relevant

[Rockoon]

Well to be fair for the the majority of /. readers we aren't in the cheap desktop market.

[Citation needed]

Re:Windows is no longer relevant

[gtall]

Rather, you are buying software + hardware when you go with Apple. Good software costs money. You seem to be coming from the Windows world where the software costs can easily be broken out. I choose not to go that route simply because I do not like the way Windows works. I'd rather have a really nice gui on top of a 'nix for when I have to get down and dirty. MS software always struck me as rinky-dink, no forethought, and as Jobs put it, no taste.

Re:Windows is no longer relevant

Pictures of naked women aren't worth anything. Google Images of naked women - 821,000,000 hits. Cheaper than free.

Re:Windows is no longer relevant

[ILongForDarkness]

http://slashdot.org/

Re:Windows is no longer relevant

[Sir_Sri]

Extortion, sourcing of underage material without being responsible for its production, advertising revenue from high traffic sites.

Imagine you did a data dump of all of the women in (e.g.) the netherlands on facebook. And posted it on a website, where it could be indexed, rated searched etc. You'd probably get a huge crush of traffic, and traffic = revenue.

You're thinking from the perspective of a product - you don't need to pay because someone else is monetizing you visiting their site- which is true, what they need is a way to get product, and if you're googling images of naked women, you're a product they can sell if they can just get you to click on their link rather than someone else's....

Re:Windows is no longer relevant

"Rather, you are buying software + hardware when you go with Apple. Good software costs money."

https://itunes.apple.com/us/app/os-x-mountain-lion/id537386512?ls=1&mt=12 (OS X 10.8 upgrade $19.99)

http://www.microsoftstore.com/store/msstore/en_US/pd/productID.216644200?WT.mc_id=mercent&mr:trackingCode=F1CB13AA-D1D4-E011-B18D-001B21A69EB0&mr:referralID=NA&mr:adType=pla&mr:keyword={keyword}&mr:match={matchtype}&origin=pla&mr:ad=15239889307&mr:filter=21844073347 (Windows 7 upgrade - student price $64.99)

Re:Windows is no longer relevant

[Aphrika]

Windows 8 is the best desktop OS. More secure, faster, more stable and has more software and hardware than Windows 7...

...IF, you can handle the FrankenOS of Metro/Win32...

Re:Windows is no longer relevant

[Doctor_Jest]

Ever since I swore off Apple products (thank you OS X Lion for that revelation...), I've been repurposing and having a blast.

I spent $300 on a scratch and dent Dell Athlon (from the Dell Outlet, with surprisingly few scratches), put Debian on it, added 2GB of RAM (for a total of 6), a $35 power supply upgrade and a $20 video card off eBay. :) My secondary machine is an original Athlon XP I got for $40 off eBay, also running Squeeze. (It needs more RAM though.)

I always have a distant plan to build another system in the near future (something with oodles of RAM and enough processor cores to choke a horse), but in reality, my machines are running fabulously... Even my $70 Dell optiplex I bought from a friend so I could make it my "GOG.com game machine". :) I find goofing around with these older machines fun. And with Debian Squeeze (and fluxbox)... I could still be using a Pentium III 800mhz (which I plan to repurpose as a NAS for my LAN...) Old PCs have plenty of life left in them...

I was reading a Debian developer's blog a while back (the name of the blog and the developer escape me at the moment), but he wrote a great piece about keeping hardware and getting the most out of what you already have, rather than going into debt to be "cutting edge" for 15 minutes. I am not doing this because I'm some sort of eco-terrorist who wants to blow up SUV dealerships and live in a tree. Rather, I'm a person who likes to get his money's worth. And with my computers I have now, I get the most bang for my buck, and with low margin PC sales dominating... I can do it without breaking the bank. :)

This was not to say that those folks on the bleeding edge are somehow idiots and have too much money... I just found a neat way to continue my hobby and keep costs to a minimum. :)

Re:Windows is no longer relevant

[ilguido]

Secunia: "the most severe unpatched Secunia advisory affecting Microsoft Windows 7, with all vendor patches applied, is rated Highly critical". Kudos to MS for making (some of us believe they made) a secure OS.

Re:Windows is no longer relevant

Windows Phones have zero capability of showing email headers, so it becomes a choice of deleting the message or opening the message. When the message is opened, Windows Phones have no capability of checking a link before clicking it.

That's two security vulnerabilities security firms can add to their list against Microsoft.

Re:Windows is no longer relevant

[Hamsterdan]

and driving like you're owning the road. And don't use your flashers, I really hate it when people signal their intentions. And of course, please honk after 2ms at the green light.

And I can't have enough of your crappy sound system when you're parked right in front of my house

Re:Windows is no longer relevant

[Anachragnome]

"Rather, I'm a person who likes to get his money's worth."

Good for you. Really, I mean that. All of those old components that you save and use later are a little bit of good karma for you.

I've been managing to keep 4-5 computers going (one for each of our family members and a shop machine) and we only buy a new machine maybe once every 5 years. I save every single component, I reuse, repurpose, etc. I don't throw anything away until it is broken beyond use. But, I do not collect other peoples junk. We occasionally buy single components to upgrade--a video card here, a monitor there.

After 20 years of doing this, I've finally run out of hard drives. Them old platters just get tired of spinning, I guess. But, I can say that I've added the bare minimum of waste to the environment, I've saved our family a lot of money and I feel good about it.

Interestingly, the moment I leave the Desktop PC market and enter the tablet or smartphone market, I lose the ability to continue doing this.

Re:Windows is no longer relevant

I agree. I don't care how advanced your smart phone/tablet is. Unless it can be converted into a desktop environment that supports keyboard, mouse, multi-monitor, and multiple apps open simultaneously. The desktop will not die out.

I don't understand why everyone wants to keep declaring the PC dead, its not. When I walk into a LAN party, I don't see a single tablet or phone being used to play a game, It's all PC's. At school i don't see any phones or tablets used for presentations, that is all macs and PC's. When you look inside embedded devices (routers, modems, etc...) you wont find IOS or Android in there that is mostly dominated by Linux, or custom OS. I have yet to hear of a single App, or program that was developed on a smartphone or tablet. Heck I don't think there are even any compilers for those restricted devices. Not that it's not possible , it just does not seem like a good use of the technology.

Now if you want to know why, PC market shares are down. It's PC's last for more than a 2 year contract. This means that i can expect my PC to still be working 3,5,10, or more years from now. PC's are also easily upgradable. (even laptops cant spout that) Heck I have data on my PC that dates back far more than 10 years. If your smartphone has that than kudos to you, but i know many people who have PC's in that realm. PC's are just more reliable than your average tablet for data storage. BTW when i can store more than 10 TB on a smartphone, and have that date be virtually indestructible (meaning i can smash the phone with a sledge hammer, or drop the phone from orbit, and have it take only damage.), and alleviate the easy of theft that is currently possible with smartphones, and develop interfaces that are better than desktop for gaming and development, and make the phones as easily upgradable as a desktop, then and only then will I concede that the desktop is about to die. And i say about to die because it will still linger for several years before it actually dispersers.

Even though the smartphone is a useful tool, it is not an all purpose tool. And just because you who don't play any real games, write software, participate in cutting edge technology development, or do anything that needs a screen larger than 2.5" don't see any need to use a PC think it's dead. Does not mean it is dead, BTW if market shares, and annual profits dictated the life or death of something, then the personal computing device (yes cell phones are included) would never have become a household item. Heck even star-trek thought typing was important enough to teach it to engineers of the future...

Re:Windows is no longer relevant

[jawtheshark]

I just ordered a Celeron 867 based machine: Zotac ZBox-Nano-ID61-E. It was on sale -20% at my favourite online shop. Got it for 154,53€. Barebones, so it lacks RAM: 27,53€ and a harddisk/SSD, of which I happen to have one lying around. Still, even if I had not: 2.5" 500GB HDD it's 46,99€. Grand total of: 229,05€, which includes VAT. Round up to 240€ for shipping and you have a nifty power-sipping machine that is most likely better than your average Athlon.

As you will notice in my sig, I am a dumpster diver. I do (did, I toned down quite a lot) what you do and I have saved quite some money as you did by mixing, matching, maximizing machines. The thing is, you do put a lot of time in it and you're lying to yourself that you do it to save money. You do it because you enjoy it. If you factor in your time, you're not saving money. I realized that when I have perfectly fine Athlon 64 machines with 2GB RAM that nobody would take. I still can't help myself to pick up an old computer, but it really really really has to be something extremely good (Core 2 Duo for example is still hard to find in the dumpster, but I have gotten a Core Duo a time ago... as a laptop no less)

Anyway, what I try to say is that you're better off specifying your needs and looking for deals and things on sale. That Celeron, will do just fine as a nettop for surfing, youtube etc... Especially if the drivers are ok (I have a Atom D525, which I stopped using because it really was too slow, but another Atom 330 performed better and the difference was the chipset... Go figure. All on Linux. I found out that the D525 chipset I had sucked under Linux. Bad buy.. Should have researched beforehand). In a similar vein, I got myself a Core i7 laptop with FullHD for a mere 525€. Did I get, lucky? Hell yes! It now even has 16GB RAM because it has become so cheap.

You already realized that you don't need the top of the line. So did I. Now realize that your time is worth a lot more than the old hardware. Well, if it's a hobby... fine, but then call it a hobby stops you from spending.

Re:Windows is no longer relevant

It's amazing what old hardware will do if you don't install iTunes

Re:Windows is no longer relevant

It's the 21st century equivalent of the horse-drawn buggy.

That's why people call it a buggy OS.

Re:Windows is no longer relevant

[Sir_Sri]

this goes to the 'only one on an island not needing to lock their door'. Windows phone is too small to matter much - it's not like MS products don't have known, exploited vulnerabilities, just in terms of the most exploited ones they aren't that bad. They seem to be reasonably on top of fixing things overall. At least relatively to Java and Flash.

Re:Windows is no longer relevant

[Doctor_Jest]

Really, that's what I did with the Dell. I wanted a 64-bit machine on the cheap that had decent hard drive space out of the box, but was standard enough to upgrade when I need it (I've had this Dell now for about 2 years or so.) I also check barebone bundle prices from time to time just to see if there's a great deal I can't live without (so far, my price ceiling is about $400.) :) I know there are a few bundles I am keeping my eye on, but I haven't found a need for an 8-core Athlon with 16GB of memory. :) At least not yet, of course....

I love to tinker, too. Proprietary cases annoy me... they have to be pretty cheap to be worth my time. :)

Re:Windows is no longer relevant

[Doctor_Jest]

Thanks for the support. I sometimes get blank stares when people hear what I do with computers in my spare time. :) My only weakness is my desire to find the perfect keyboard. :) I had one once... but I traded it for some other parts many moons ago.

Re:Windows is no longer relevant

[atlasdropperofworlds]

The desktop is not going away any time in the forseeable future. People have been saying for almost 10 years now how the desktop was dead, and everyone would have laptops, yet desktops persist. Enthusiasts and gamers keep the desktop alive. Beige boxes are almost half of all desktops sold, and they are also a growing market. Laptops are also preferred by a very many people. They are effectively just desktops with screen and batteries attached. Tablets are new and great, and I forsee laptops becoming more tablet like in terms of form factor and mobility. At best buy, many laptops now have touchscreens I've noticed. Some have detachable keyboards and become very tablet like. It's exciting times.

Sent from my desktop.

Re:Windows is no longer relevant

[atlasdropperofworlds]

Be sure to provide an example of a non-buggy OS. Don't be offended if I don't wait up waiting for your reply.

Re:Windows is no longer relevant

[atlasdropperofworlds]

Just an FYI, Windows 7 Ultimate has a full Unix layer. As for the rest, beauty is in the eye of the beholder. I've yet to find anything I like about the appearance of Apple's software. Their hardware looks ok though, but they aren't unique in that regard these days either.

Re:Windows is no longer relevant

[atlasdropperofworlds]

Have they found any exploits that work reliably on Win8 yet?

Re:Windows is no longer relevant

[atlasdropperofworlds]

You mean iOS. OSX still has a pittance for market share. Besides, we just spent over a decade and a half dealing with one insecure OS, we don't want to start over with another.

Re:Windows is no longer relevant

[jawtheshark]

I built my mom a AMD-A6 3650 with 16GB RAM. Given, I had all the other stuff (nice case, etc..) already since it was the motherboard of her machine that started to get flaky, the upgrade was only 250€ or so... The price difference for "classical" 4GB was negligent. Sure, it's not octo-core, but quad-core. Sure, she has no use for it, but why not? Incidentally: that was a CPU/Motherboard combo on sale too.

Re:Windows is no longer relevant

speak for yourself!

Re:Windows is no longer relevant

[cbhacking]

While I agree with you in general, there are actually apps which are developed on smartphones. As an example, WP7 has an app (written by MS) called "TouchDevelop" that's basically a touch-oriented scripting engine. It supports packaging scripts developed with it as apps and submitting them to the store, and some people have taken advantage of this.

It's slow and has an unfortunate effect on battery life when running anything remotely real-time, but it works, it's free, and it's really easy to use... and it's only available on the phone. There may be similar apps on other phones; I don't know.

Also, I personally have written and executed scripts on the Surface RT tablet, just to see if I could (it's actually really easy). I didn't try to package them as apps, though.

Re:Windows is no longer relevant

[cbhacking]

You can copy link addresses and paste them into a text window, rather than just opening them in the browser. It's a bit messy, but you are factually incorrect on that point.

However, the first point is (officially) correct. Technically you *can* read them, but it requires some hacks.

Re:Windows is no longer relevant

[Nizumzen]

You do realise that older computers use more electricity than newer ones don't you? So by solely using older computers you are actually using more electricity and thus they are costing you more money for less performance. Keeping up-to-date is not solely about power but also about power consumption. My new computer which is about 5x faster than my old one also uses about 100w less.

Re:Windows is no longer relevant

[PuZZleDucK]

I'm not developing on a fucking smart phone, so suck an egg.

I am ... must suck to have your phone!

Re:Windows is no longer relevant

[Galestar]

Windows is no longer the 800 lb gorilla - Apple iOS is.

iOS is 2nd in market share in mobile just like Apple is 2nd in market share on desktop. How does coming in 2nd in every market they touch make them the "800 lb gorilla"?

Re:Windows is no longer relevant

[helix2301]

I agree it's hard to judge as an entire marketplace. I mean Microsoft might not be on he list cause the PC to tablet market is so different number wise. I would like to see a top 10 for PC then top 10 for smartphones. Plus like mentioned people due get longer out of PCS then phones and tablets not just due to build but because PCS can be repaired where phones and tablets are disposable.

In other news MicroSoft purchased security firm...

And in other news MicroSoft purchased security firm Kaspersky for undisclosed billions of dollars in gold...
[/humor] - just kidding!

Surprised?

[Horshu]

Less surprising is that the top vulnerabilities are Oracle's Java and Adobe products. In fact, Adobe can claim 5 of the top 10. Too bad I still have Reader and Flash on my system, but Java was purged from my system about a week after I stopped doing Java development.

Re:Surprised?

There hasn't been much in terms of Reader vulnerabilities lately. Certainly nowhere near at the rate that we used to see.

Re:Surprised?

[Colonel+Korn]

Less surprising is that the top vulnerabilities are Oracle's Java and Adobe products. In fact, Adobe can claim 5 of the top 10. Too bad I still have Reader and Flash on my system, but Java was purged from my system about a week after I stopped doing Java development.

Just to reinforce the picture of Java as crapware, it blows my mind that Oracle packages shit like the Ask Toolbar in the regular security updates and you have to uncheck a box in order to prevent its installation. Oracle is a Zynga-level company.

Re:Surprised?

[Deathlizard]

I'll at least say that Adobe is getting it. All of their newest versions of reader and Flash have the option to automatically update without prompting.

Oracle has no clue. If anyone reading this works for Oracle, I want you to do the following. Also, If you know someone who works for Oracle. Please forward this to them and ask them kindly to follow the instructions below.

1) Walk into the office of the person who writes the update system for Java.
2) Scream at the top of your lungs "AUTOMATICALLY INSTALL UPDATES WITHOUT PROMPTING!!"
3) Kick person as hard as you can in the Nether Reigons.
4) Repeat step 2 and 3, but Scream "AUTOMATIC 64Bit JAVA UPDATER" Instead.
5) Repeat entire process daily until projects mentioned in #2 and #4 are completed.

Either the fear of getting kicked in the beanbag will motivate the person to make an update process that actually works, or the replacement coder hired to fill in for said worker due to work related groin injuries will.

Re:Surprised?

[Rinnve]

Oracle packages shit like the Ask Toolbar in the regular security updates and you have to uncheck a box in order to prevent its installation.

What? I'm using Java applications for several years, but I've never ever seen nor Ask Toolbar nor anything else "extra" in JRE security updates.

Re:Surprised?

[RyuuzakiTetsuya]

Is it just the windows version of java? What about tomcat and other enterprisey java packages? Do they suffer from the same flaws?

Re:Surprised?

[malakai]

They still do it. See here: http://www.java.com/en/download/faq/ask_toolbar.xml
From Java.com:

The Ask Toolbar is integrated with the Java download. During the installation of Java, users are presented with an option of downloading the Ask Toolbar

Also, although it's fixed now, for a time, you couldn't direct link to the Win x64 JRE. It forced you through a page, that would check your browser and give you a x32 if your browser was 32bit. I used to have to fire up IE 64 on Server 2008 to grab a JRE to install on my 64bit os.

Re:Surprised?

Then you aren't looking. First, Oracle doesn't issue security updates (patches). They issue an entire new version which uninstalls the old version and then replaces it with a new one. They don't know how to patch. Next, like the GP indicated, they do indeed push other things with their installs. Often it is the Ask Toolbar. Other times (before they moved on) it was open office. Now, if you are getting the "updates" through work and having them pushed to you then they are taking care of getting rid of the foistware for you.

Re:Surprised?

[Horshu]

Adobe's getting the autoupdate part, but they're using it as a crutch for their inability to test code thoroughly before publishing. Auto-updating is great to have and good to use, but when the same product is being updated every few weeks (maybe sooner...I just go by how often Adobe updates whenever I reboot my machine) for years on end, it should tell the product management something.

Re:Surprised?

[Jesus_666]

Given that the JRE comes with a complimentary browser toolbar that you have to manually uncheck in the installer (for each update) and that Flash can't be installed without closing every browser, I want neither of those components to automatically update itself. Asking me is fine but as long as their update routines want to install crapware (or require manual intervention in the case of Adobe) fully automatic updates don't seem like a particularly good idea.

Re:Surprised?

Some of us are dependent on Java. Show me a full-featured 3D molecular viewer, including it's own scripting language, that runs in the browser, that isn't written in Java. We have Jmol. The closest competitors to Jmol are also written in Java. People have started projects not in Java, but they are extremely primitive at this time.

Re:Surprised?

[dissy]

What? I'm using Java applications for several years, but I've never ever seen nor Ask Toolbar nor anything else "extra" in JRE security updates.

Then you may want to go back to all those vulnerable systems you deployed which clearly have NEVER had a Java update of any kind installed to them in the past 4 years...

Re:Surprised?

[Blakey+Rat]

I'll at least say that Adobe is getting it. All of their newest versions of reader and Flash have the option to automatically update without prompting.

It claims to. I've never seen it actually successfully pull it off.

Even worse, it only seems to even *check* for updates when I reboot-- so like maybe twice a month, max.

Re:Surprised?

[ILongForDarkness]

Not surprising I guess but that means if you avoid flash and Java you are a long way to avoiding problems (outside of the normal AV and update activities). Both are really hard to avoid in the modern world though. I wonder when does Oracle start getting a bad rep for security out of this? Will customers start wondering about dropping $100k on a db server from the same company that got there phone hacked with a 3 month old bug?

Re:Surprised?

That's because it isn't included in any updates. It only comes up when you first install Java.

Re:Surprised?

It only checks when you restart and can only install when no browser windows are open, otherwise it will wait until you restart the whole computer again to replace the files that were in use.

Re:Surprised?

Thank you for bringing that up. The Ask Toolbar prompt was infuriating. Apparently I am not alone. I've spent next couple of days replacing every single java tool I had with an alternative, and am proud to say, I no longer have JVM running on my machine. I really hope its permanent.

Re:Surprised?

[dkf]

Is it just the windows version of java? What about tomcat and other enterprisey java packages? Do they suffer from the same flaws?

Not nearly so much. They don't use the same model as java-in-the-browser, and so don't suffer from the same threats. You have to work at it to make tomcat insecure from its Java nature; though you can of course deliberately install insecure webapps in it, that's about as significant as running bad CGI scripts inside Apache: idiots will be idiots and crap programmers will be crap programmers.

Enterprisey Java programs tend to not run arbitrary code that someone "out there on the web" specifies. In fact, they spend quite a bit of effort to make sure that they don't. (They also tend to run on systems that don't even have a web browser installed.)

Re:Surprised?

[Deathlizard]

hmm. forgot about the crapware.

Probably need to add a #5 and #6 to that list with "NO CRAPWARE" as the selling point, although I guess that would go to whoever handles the installer.

Re:Surprised?

Companies get paid per install. One company I know of was going to get $5 per install of Yahoo toolbar through their driver and software suite for their printing devices. Not sure if they still have that agreement with Yahoo these days.

Re:Surprised?

Try Foxit Reader! I was so happy when I uninstalled Adobe's PDF reader.

Re:Surprised?

[toddestan]

It claims to. I've never seen it actually successfully pull it off.

It seems to work on Windows XP if you are an administrator. I don't think that Adobe fully understands UAC yet, despite it being around since Vista launched.

Apple Shows Up Twice?

[jarich]

Looks like MS is being dethroned. Between Apple, Oracle, and Adobe it's not looking good.

Re:Apple Shows Up Twice?

[Seeteufel]

It is becoming less relevant. Still it is bad that Microsoft does not disclose the source code of its applications. That means thousands of unfixed security vulnerabilities that otherwise would be found.

Re:Apple Shows Up Twice?

So you are assuming that all those OSS apps out there are perfect just because you can get the source code??

Please! 99.9% of users can't fix a simple buffer overflow crashing their apps, never mind obscure stuff. Just because there is code available, does not make it more secure! Aside from the main projects, you end up with 1 or 2 part time devs, not hundreds of devs. Code quality is all over the place.

Just look at the code quality in Debian archive. It is all over the place! Some of it is excellent. Most is good enough. But some is shit.

That means thousands of unfixed security vulnerabilities that otherwise would be found.

And finally, you are assuming that all those developers working at Microsoft are idiots that can't code their way out of a wet paper bag. Sorry to disagree with you there. There are probably *less* security issues in Windows or Office than under some of the code in the Linux kernel or Libreoffice. The simple reason has *nothing* to do with OSS, but just size of the user base. Larger user base will result in more errors being found and fixed.

OSS is simply more flexible solution. I love it. I can add my own features if I care to. But I would not assume that OSS automatically means more secure or better coding standards!!!

Re:Apple Shows Up Twice?

It's a good thing we have you to go through every line of OSS code to find all the vulnerabilities. Moron.

Re:Apple Shows Up Twice?

[marcosdumay]

It is becoming less relevant.

A small correction, but the end user focused software my MS is becomming less relevant. That's where most of the bugs always were, and that's exactly what people are not using anymore. Server software is also getting less relevant, but it doesn't matter on this context. Kernel and libraries are as relevant as they always were (ok, a tiny bit less).

What is gaining relevance now is the crapware that people must install because Windows does nothing out of the box.

Strange list

Many of the entries appear to be for identical things

DoS and CSS definitions

[ferar]

"Oracle Java Multiple Vulnerabilities: DoS-attack (Gain access to a system and execute arbitrary code with local user privileges) and Cross-Site Scripting (Gain access to sensitive data). Highly Critical."

Seems to be prepared for someone who has no knoledge on what DoS and CSS are.

NOT surprised @ all... apk

See subject-line above - MAN: This article's findings MUST have "stunned" the "Pro-*NIX" crowd here into silence... lol!

* Ah yes, "will wonders NEVER cease"...

BESIDES - it's NOT like you can't secure Windows well: It's VERY "doable" as is, just takes time & effort to an extent!

APK

P.S.=> I wish Windows 8 didn't have "METRO", or @ least allowing an OPTION to flip back to the classic Win9x style interface shell that I've used since 1995 or so (which, from what hairyfeet, a member here I am SURE you all know, told me that Mr. Sinofsky @ MS KILLED that possibility) - it's got a few things I really like that relate to security, such as:

---

1.) Guard pages (this supplements ASRL & DEP iirc) on the heap -> http://news.softpedia.com/news/Chris-Valasek-The-Windows-8-Heap-Manager-Is-the-Most-Secure-to-Date-282466.shtml

2.) AND, more -> http://www.techradar.com/news/software/operating-systems/windows-8-security-explained-1107206

---

And, of course, "self-terminating" services - which isn't security-related, but rather, performance-oriented!

(Which alleviates the need to "tweak/tune" your services, which those interested in performance on Windows have been doing for decades, myself included since Windows NT 3.51 onwards)...

I've said I don't predict success for MS here on the PC desktop, but I will say that METRO does make sense on say, smartphones &/or tablets though... nice part is?

All of these improvements I LIKE, will make their way into Windows 9, & hopefully MS "rights things" in regards to this new interface on the desktop, leaning a lesson - but, we'll see how it all goes...

...apk

not really

Anytime a vulnerability occurs on a multi-platform application it shows up on all of the platforms. The only time this doesn't happen is if the application/library has multiple sources - then it depends on the distribution.

The Java problems are most likely in the runtime that was open sourced - but still in use by both sources of the runtime.

Fluff.

[bmo]

This article is nothing but Softie cheerleading without any meat. You have to go to the report itself for any real facts.

Indeed, this paragraph explains *why* Java exploits are common in the wild.

Java vulnerabilities were exploited in more than 50% of all attacks. According to Oracle, different versions of this virtual machine are installed on more than 1.1 billion computers. Importantly, updates for this software are installed on demand rather than automatically, increasing the lifetime of vulnerabilities. In addition, Java exploits are sufficiently easy to use under any Windows version and, with some additional work by cybercriminals, as in the case of Flashfake, cross-platform exploits can be created. This explains the special interest of cybercriminals in Java vulnerabilities. Naturally, most detections are triggered by various exploit packs.

In other words, if you do auto-updates of java and stuff like it, you are far less vulnerable. I don't think Windows even has a facility to do this, one must roll one's own for each package.

Keeping up to date with Oracle Java on Debian style systems:

http://www.webupd8.org/2012/09/install-oracle-java-8-in-ubuntu-via-ppa.html

--
BMO

Re:Fluff.

>http://www.webupd8.org/2012/09/install-oracle-java-8-in-ubuntu-via-ppa.html

Those long instructions on the command line sure look easier than installing from the Java update prompt on windows and like something mom would do. /sarcasm

>Oracle Java 8 should only be used for testing purposes and/or by developers. Since this is a preview release, you'll encounter bugs!

Indeed.

Stop making retarded excuses for one the biggest software companies, Oracle(or Sun) being unable to roll their own update mechanism.

Re:Fluff.

[bmo]

>Those long instructions on the command line sure look easier than installing from the Java update prompt on windows and like something mom would do. /sarcasm

"What is copy and paste, Alex?"

>Stop making retarded excuses for one the biggest software companies,

I wasn't making excuses, the report said what it said. The repo also has Java 7. But hey, let's not let facts get in the way of a good rant.

Personally, I use the IcedTea java, so I really don't have a dog in this fight.

--
BMO

Just too bad

Just too bad it's no longer a good *desktop* OS!

Follow the money!

Windows users, both enterprise and home, pretty much all use AVs and since Windows 8 comes with one built in, and SCCM 2012 takes care of that in the enterprise at a low cost relatively speaking, there is no room for market growth there...the slime that run the AV corporations are painting their sites on iOS and Android.

Follow the money, whats the publisher selling?

auto-updates of java

[Tim+Ward]

But you can't do auto-updates of Java, otherwise other stuff on your machine stops working.

Java is sufficiently flaky that it's very common for particular applications to need particular versions very carefully installed and configured, so you end up with several versions on your machine - allowing auto-update is a recipe for utter chaos.

Re:auto-updates of java

[Carcass666]

But you can't do auto-updates of Java, otherwise other stuff on your machine stops working.

Java is sufficiently flaky that it's very common for particular applications to need particular versions very carefully installed and configured, so you end up with several versions on your machine - allowing auto-update is a recipe for utter chaos.

This. For those running eBusiness Suite and also have to use sites with applets, companies are caught between the rock of having to update Java to keep your browsers happy and the hard place of incompatibility of applications with newer versions of Java. Yes, you can load multiple versions of Java, but keeping things automatically updated, and keeping each application/browser using the correct JVM? Ouch. The recent issues over the past few months with poorly executed changes in the security model (broken applets that leverage AJAX), Apple's insistence (now abandoned) on distributing its own, outdated Java, and the mediocre UI stack make Java on the desktop a nightmare. I love my glassfish servers, but Java needs to be abandoned on the desktop. I think most people have given up on "write once, run anywhere", they would settle for "write once, run consistently". The Java brand suffers because of the desktop nonsense, which is a shame because it is so powerful and useful on servers.

Re:auto-updates of java

[jbengt]

#Java is sufficiently flaky that it's very common for particular applications to need particular versions very carefully installed and configured . .

Exactly. I do work for a client that uses Primavera - which we have to access thru a browser for all records and communication on their construction projects. A recent update to their installation required us to install a very particular Java version that is not at all up-to-date or secure, fuck whatever else we might need Java for. The kicker is that both Java and Primvera are Oracle products.

Re:auto-updates of java

Off the cuff, as I have no experience with Primavera, but why don't you have a browser with the navigation bar and the like disabled that uses Primavera with the custom version of java installed just for that browser. Then have the regular browser set to use the lastest version of java. We've done that for browser based applications that require their own versions of java. Works quite well for us.

Re:auto-updates of java

[mrmeval]

ADP payroll systems is forcing the use of an ancient version of java and they refuse to fix their broken app.

http://www.adp.com/

Example there are plenty more.
http://ww2.valdosta.edu/helpdesk/news/042611a.shtml

Some payroll system.

Re:auto-updates of java

[Bigbutt]

Yep. I have some Dell blade chassis that require a very very specific version of Java. The next iteration of Java after that fails to start the console for access to the blades. I installed VirtualBox with Windows XP and the specific version of Java (something like 1.4.14 where 1.4.15 fails) so I can continue to manage the Dell chassis. Fortunately we're in the process of replacing them with newer equipment so I can flush the XP VM.

[John]

Re:auto-updates of java

Heck, even keeping the built-in Java database in Apache Open Office working across updates is iffy and unpredictable. On one WinXP machine, it would accept Java 7 at around 7u5. Another WinXP machine is up to 7u9 now, and AOO still refuses to use any Java other than Java 6. Linux is about the same deal, only that AOO is happy to work with GNU's Java. See ya, Oracle.

Oh, and let's not forget Win7, where it seems to be that for the full experience, you need both 32-bit Java and 64-bit Java, and I'm too new to Win7 to figure out how to engage the auto-update feature for either one.

I miss Sun Microsystems.

False

[thetoadwarrior]

Windows is still very insecure. After all it has that whole list of software exposing it to danger.

Re:False

Windows is still very insecure. After all it has that whole list of software exposing it to danger.

Salshdot: where left-over MS haters from the 90s still have a voice.

Windows 8 is the most secure OS on the market

Link to the report

http://www.securelist.com/en/analysis/204792250/IT_Threat_Evolution_Q3_2012

The real reason MS escaped the list ...

[Mr.+Lwanga]

They finally paid off the FSB.

Windows "security-hardening" is simple... apk

To make it so, I use CIS Tool (highly esteemed stuff -> http://www.computerworld.com/s/article/9018362/CIS_tool_aims_to_help_federal_agencies_check_Windows_security_settings )

Yes, it has a Windows 7 ready model now too (though I used the older model since I wrote that version of my guide BEFORE Win7 came out).

Also, sadly? It's not FREE like for Windows 2000/XP/Server 2003 anymore though, but... they give you a 30-day trial, & with THAT? You can easily export out the settings for registry entries & SAVE them for future subsequent installations to have the SAME benefits!).

It's easy to use, & "FUN" in a nerdy-kind-of-way: Almost like running a PC-Performance benchmark, albeit, instead for security-hardening purposes.

http://www.google.com/#hl=en&tbo=d&output=search&sclient=psy-ab&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&oq=%22HOW+TO+SECURE+Windows+2000%2FXP%22&gs_l=hp.3..0i30.1361.6001.0.6150.31.28.0.0.0.0.413.5287.0j12j10j1j1.24.0.les%3Bcqn%2Cfixedpos%3Dfalse%2Cboost_normal%3D40%2Cboost_high%3D40%2Ccconf%3D1-2%2Cmin_length%3D2%2Crate_low%3D0-035%2Crate_high%3D0-035%2Csecond_pass%3Dfalse%2Cignore_bad_origquery%3Dtrue..0.0...1c.1.iYozGUxANpo&pbx=1&bav=on.2,or.r_gc.r_pw.r_qf.&fp=e68bd22b45af1f37&bpcl=37189454&biw=1080&bih=676

* It's reports like this one from Kaspersky (albeit, MANY years later than my guides) that only reinforce its points by showing you WHERE the threats mostly come from online - then, you just "neutralize" them!

(Eventually it's just a matter of "smarter surfing" which comes after experience or guidance from those who look out & care for you - a lot of folks call it "user education"...)

E.G.:

To "immunize" a Windows system, I effectively use the principles in "layered security" possibles!

http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE

I.E./E.G.-> I have done so since 1997-1998 with the most viewed, highly rated guide online for Windows security there really is which came from the fact I also created the 1st guide for securing Windows, highly rated @ NEOWIN (as far back as 1998-2001) here:

http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text

& from as far back as 1997 -> http://web.archive.org/web/20020205091023/www.ntcompatible.com/article1.shtml which Neowin above picked up on & rated very highly.

That has evolved more currently, into the MOST viewed & highly rated one there is for years now since 2008 online in the 1st URL link above...

Which has well over 500,000++ views online (actually MORE, but 1 site with 75,000 views of it went offline/out-of-business) & it's been made either:

---

1.) An Essential Guide
2.) 5-5 star rated
3.) A "sticky-pinned" thread
4.) Most viewed in the category it's in (usually security)
5.) Got me PAID by winning a contest @ PCPitStop (quite unexpectedly - I was only posting it for the good of all, & yes, "the Lord works in mysterious ways", it even got me PAID -> http://techtalk.pcpitstop.com/2007/09/04/pc-pitstop-winners/ (see January 2008))

---

Across 15-20 or so sites I posted it on back in 2008... & here is the IMPORTANT part, in some sample testimonials to the "layered security" methodology efficacy:

---

SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:

http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2

"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral

AND

"APK, thanks for such a great guide. Thi

Re:Windows "security-hardening" is simple... apk

All his detractors have's an unjustified downmod but no facts why.

So what?

It's not like M$ products don't have bugs that can/will be exploited in the future. This article is NOT saying the M$ is free and clear of bugs...it is simply stating the M$ is not in the top 10. What this really means is that there are more juicy products to rape than what M$ is currently producing.

What remains to be seen is which bugs in the top can lead to the raping of a M$ OS. Or Linux, or MAC, or ....

Re:So what?

You used four $ signs in referring to Microsoft, which makes your comment four times as irrelevant.

Re:So what?

Sorry, that fifth one slipped under the radar.

That's because...

even the black-hats found it difficult to use Windows after Vista.

Please.

Windows is an insecure POS built by greedy corrupt developers. The fact that it doesn't show up on some pissant list asks one question -- how much money did this author, their website, the OP here and the people who posted positive M$ comments get paid to say these things.

Kaspersky is Micro$oft's bitch, obviously. Fucking communists.

Re:Please.

Give that man the clap!

No, they're not getting it...

[Aphrika]

They don't understand that in businesses, you don't run users as admins, which is what the Adobe Updater appears to require for autoupdates.

What they need to do is bring out a decent admin tool like WSUS for their products which enables centralized administration. Ditto Apple, Firefox, Java and a truckload of other software that would probably have a bigger market share if they just understood that where business is concerned with patching and security; Microsoft 'just gets it'. That's one of the key reasons why IE is the business browser of choice, because patching it is easy and quick, not convoluted and frustrating.

That said, it is possible to centrally manage Macs, to a degree...

Re:No, they're not getting it...

[random_nb]

Reader's automatic updater works without admin rights on Vista or newer, but requires a background service. Flash Player's works on XP or newer without admin rights, and fires from Windows Task Scheduler just like Google Chrome's.

Misleading summary and article

[ilguido]

The article is about the most common vulnerabilities on "pc's with kaspersky software installed": it is not about most secure software. This report just says that many people, who use kaspersky, do not keep updated their java and flash. Secunia rates the unpatched vulnerabilities of Windows 7 as highly critical. It's just that big companies (the most likely customers of kaspersky) don't use W7 as much as Java.

YES! f4...

and as BSD sinks Erosion of user progrees. In 1992, operating systems, would mar BSD's BSD has always OF AMERICA) today, on an endeavour

Time for all other to clean up their acts

[WindBourne]

Cracking and Virus writing has NEVER been about the number of systems like the MS fanbois love to claim. It has always been about what is easier to attack. At this time, all of the other systems need to focus on security as well. Regardless, this reminds me of the bear joke:
bear coming in the back of a tent, and one guy putting on shoes. Other screaming that they have to outrun the bear, and asks first guy why putting on shoes. He says that he does NOT have to outrun the bear. He simply has to outrun the other guy.

Re:Time for all other to clean up their acts

[Gordo_1]

Cracking and Virus writing has NEVER been about the number of systems like the MS fanbois love to claim. It has always been about what is easier to attack.

Um, it's about both. Cracking and virus writing these days is mostly about making money. When your primary goal is to make money, you go for the low hanging fruit: Easy to find exploits that exist on as many systems as possible = biggest bang for your cracking/virus writing buck.

Re:Time for all other to clean up their acts

[cbhacking]

Actually, even the low-hanging fruit isn't enough. Malware is an illegal business; engaging in it has risks. Hypothetically, if I could write the code for an OS X botnet worm at no cost (say, an evening of my own time), and earn $10 for each Mac infected, or spend $500000 (say, a government project) developing something equivalent for Windows, the Windows option is by far the better one even though OS X is the low-hanging fruit. Once you've managed to infect 50k more Windows boxes than OS X ones - which will happen quickly if your malware has good ability to spread at all - you've come out ahead by targeting the much more expensive (difficult) Windows. That's the simple fact of why market share matters to malware.

Of course, if you're already going to break the law by putting out the one version, you'd probably go whole hog and put out both versions (in this little sample). Maybe you wouldn't, though, if doing so increased your risk of discovery by more than the 11% extra cash you'd take in.

Java, Flash and Acrobat Reader

Bloatware with vulnerabilities. Anybody surprised?

Microsoft prods are no longer interesting

[gelfling]

All the good attacks are at facebook etc. b

Re:Microsoft prods are no longer interesting

Microsoft software is still very interesting because it is the choice of banks and other big businesses.

Not vulnerable, but still target

[manu0601]

MS products do not have top vulnerabilities, but they are still top targets: most malwares are still designed for Windows. It is just that the attackers reach the target by different vulnerabilities. It is therefore still true that using Windows poses a risk.

Windows safer says Microsoft partner ..

[dgharmon]

"Microsoft products no longer feature among the Top 10 products with vulnerabilities"

"Kaspersky Lab is a Microsoft Gold Certified Security Solutions Partner and is currently working on several joint projects with Microsoft". link

interesting

considering Microsoft's stuff is still basically pre-security-conscious with bolt-ons. Amazing that it works as securely as it does. ty Bill and stephen

Partial Unix compatibility, maybe.

While I am a big fan of Win7 Ultimate, I think calling the posix layer a "full Unix layer" is a bit of a stretch.